From Lundman Wiki


My old amp (home cinema audio system) died, so this gave me a chance to buy a new set.

I bought the Pioneer MCS-434, mainly as it was in the rough price bracket I was willing to pay (i.e., not too much).

This appears to share a firmware file with these models:


and the file itself is named BD-HTS5_Vxxx

I don't care that it has a Blu-ray player in it (there were no models without one in the store), but that it could do UPnP media devices was a nice surprise.

I found it working rather well with llink. Some minor troubles.

  • trickplay, ie, fast-forward and chapter skip did not work. llink was not sending the full DLNA flags required.
  • ObjID has a maximum length of 64 chars. Even though the spec has no limit, clearly the Pioneer does. Use shorter paths.
  • Refreshing (adding, or removing contents from a directory) does not work right.

The last issue is the only one I was unable to fix. The Pioneer subscribes to events in UPnP to be notified when ContainerID has been updated. llink informs it of that, and the Pioneer re-issues a listing, as you would expect.

But what it asks for in the listing is only 1 item. Ie, StartingIndex=1, RequestedCount=1. And no sorting. After that, it just stops. It is confusing as to what it expects to get here. I have sent a whole new record, as well as updated timestamps etc. But it also fails to refresh against Windows Media Center, so I think it is just plain broken.

I have attempted to contact Pioneer, and the developer of IPI/1.0 UPnP/1.0 DLNADOC/1.50 but I have had no replies.

So, attempting to gain access myself.


The first file of the firmware is quite straightforward:

# binwalk MCS838_V00.38.bin 

DECIMAL         HEX             DESCRIPTION
66580           0x10414         Mediatek bootloader
119052          0x1D10C         Mediatek bootloader
425000          0x67C28         U-Boot boot loader reference{
521792          0x7F640         uImage header, header size: 64 bytes, header CRC: 0xAC601819, created: Mon Oct  7 01:20:36 2013, image size: 1815444 bytes, Data Address: 0x3A00000, Entry Point: 0x3A00000, data CRC: 0xAD70A84B, OS: Linux,  CPU: ARM, image type: OS Kernel Image, compression type: none, image name: ""
539189          0x83A35         gzip compressed data, maximum compression, from Unix, last modified: Mon Oct  7 01:17:17 2013{file-epoch:1381076237}

4265104         0x411490        Squashfs filesystem, little endian, version 4.0, compression:gzip, size: 65376434 bytes, {file-size:65376434} 1189 inodes, blocksize: 65536 bytes, created: Mon Oct  7 01:46:24 2013 {
69772432        0x428A490       PNG image, 1920 x 1080, 8-bit/color RGB, non-interlaced
69810320        0x4293890       PNG image, 720 x 480, 8-bit/color RGB, non-interlaced
69834368        0x4299680       U-Boot boot loader reference{
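
The uImage entry in the listing above reports a header CRC and a data CRC. As an added example (not code from the original page), this Python sketch parses the 64-byte legacy U-Boot image header and checks both CRC32 fields. The sample image is constructed inside the script; only the load and entry address 0x3A00000 are taken from the binwalk output.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956          # legacy U-Boot image magic
HEADER = struct.Struct(">7I4B32s") # 64 bytes, all fields big-endian


def parse_uimage(blob, offset):
    """Parse the legacy uImage header at `offset` and verify both CRC32 fields."""
    raw = blob[offset:offset + HEADER.size]
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    (magic, hcrc, created, size, load, entry, dcrc,
     os_id, arch, img_type, comp, name) = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at 0x%X" % offset)
    # Header CRC is computed with the hcrc field itself zeroed.
    zeroed = raw[:4] + b"\x00" * 4 + raw[8:]
    data = blob[offset + HEADER.size:offset + HEADER.size + size]
    return {
        "size": size, "load": load, "entry": entry,
        "os": os_id, "arch": arch, "type": img_type, "comp": comp,
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "header_crc_ok": zlib.crc32(zeroed) & 0xFFFFFFFF == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) & 0xFFFFFFFF == dcrc,
    }


def build_sample(payload, load=0x3A00000, entry=0x3A00000):
    """Constructed test image: Linux (5) / ARM (2) / kernel (2) / uncompressed (0)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, entry, dcrc, 5, 2, 2, 0, b""]
    hcrc = zlib.crc32(HEADER.pack(*fields)) & 0xFFFFFFFF
    fields[1] = hcrc
    return HEADER.pack(*fields) + payload


if __name__ == "__main__":
    # Constructed sample: 16 bytes of padding stand in for the preceding bootloader.
    image = b"\xff" * 16 + build_sample(b"constructed kernel bytes")
    print(parse_uimage(image, 16))
    # A single flipped payload byte must fail the data CRC but not the header CRC.
    tampered = image[:-1] + bytes([image[-1] ^ 1])
    print(parse_uimage(tampered, 16))
```

Against the real file, the header would be read at the offset binwalk reports for the uImage (0x7F640 in the listing above).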

Unpacking the squashfs, the bulk of the GUI code appears to be in:

-rwxr-xr-x  1 lundman  admin  20197340 Oct  7 01:45 usr/local/bin/bdpprog

and it would appear that it has some sort of secret code, based on:

telnetd invoked ok
telnetd invoked failed

But IDA has not revealed anything that works. My best guess was

g_onekey_load_secret_input DCD 0x20103

I.e., 0 2 1 3, at the place where it prints the MCU and DSP versions. But that alone does not appear to work. It also checks for 0x03010200.

I could roll my own firmware file, with telnetd running, and figure out whatever checksums they might have, but I do not have that much time.

Preferably, Pioneer fixes the last issue and I don't have to do any of this :)